* cbq.init and iptables NAT routing
From: Aaron Clausen @ 2002-10-03 16:30 UTC
To: netfilter

I am running Linux 2.4.5 with two Ethernet cards as a NAT router (using iptables). I downloaded the cbq.init script so that I could try shaping the traffic coming from and going to the internal network. I am also using iptables for IP accounting. I can shape traffic on ETH1, which is the inside NIC, but I cannot shape the traffic going out on ETH0. None of the traffic reaches my classes. Are there any known incompatibilities between cbq and iptables?

-- 
Aaron Clausen
* Re: cbq.init and iptables NAT routing
From: Cedric Blancher @ 2002-10-03 19:12 UTC
To: Aaron Clausen; +Cc: netfilter

On Thu 03/10/2002 at 18:30, Aaron Clausen wrote:
> I am running Linux 2.4.5 with two Ethernet cards as a NAT router (using
> iptables). I downloaded the cbq.init script so that I could try shaping the
> traffic coming from and going to the internal network. I am also using
> iptables for IP accounting. I can shape traffic on ETH1, which is the
> inside NIC, but I cannot shape the traffic going out on ETH0. None of the
> traffic reaches my classes. Are there any known incompatibilities between
> cbq and iptables?

No, I am not aware of such things, and I use cbq.init on a quite regular basis. You have to be very careful about where your packets are NATed and where traffic shaping is acting. You also need to know exactly what kind of rule you have to use in cbq.init.

Example:

    iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 10.0.0.1

OK. The inner interface will be eth1 (attached to 192.168.10.0/24) and the other one is eth0 (10.0.0.1). Traffic shaping is done at the last routing point, between FORWARD and POSTROUTING, R2 below:

    --> PREROUTING --> R1 --> FORWARD --> R2 --> POSTROUTING

So, when packets are going outside, I will match packets that are sourced from 192.168.10.0/24:

    RULE=192.168.10.0/24,

!! as written in the doc, pay attention to the comma at the end of the
!! rule, for it means we specify the source address

And when packets are returning, they've been de-NATed somewhere near PREROUTING, so they have 192.168.10.0/24 as destination:

    RULE=192.168.10.0/24

!! no more comma, we give the destination

So, to be quick, be careful with the ending comma when you specify source addresses, and be very careful about what kind of NAT you do. SNAT is "after" shaping, while DNAT is "before" (considering the original direction). IMHO, you must have set up your eth0 rule with the SNAT address, which does not work, as explained below.

Hope this helps.

-- 
Cédric Blancher
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: cbq.init and iptables NAT routing
From: Aaron Clausen @ 2002-10-03 20:15 UTC
To: Cedric Blancher; +Cc: Aaron Clausen, netfilter

On 3 Oct 2002, Cedric Blancher wrote:
>
> IMHO, you must have set up your eth0 rule with the SNAT address, which does
> not work, as explained below.

Here's the portion of my iptables script which sets up NAT. Maybe you can glean something more from this. It should be noted that I'm not using NAT for security purposes, and I have it set up so my local public subnet can see the NAT addresses.

    iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2
    iptables -t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2
    iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.3 -j DNAT --to 10.101.106.2
    iptables -t nat -A POSTROUTING -o eth0 -s 10.101.106.2 -j SNAT --to 64.251.69.3
    iptables -t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -s 10.102.104.0/21 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -s 10.103.104.0/21 -j MASQUERADE

-- 
Aaron Clausen
* Re: cbq.init and iptables NAT routing
From: Cedric Blancher @ 2002-10-04 0:30 UTC
To: Aaron Clausen; +Cc: netfilter

I checked the code, and discovered I was wrong. Shaping is done _after_ Netfilter, i.e. after the POSTROUTING chain.

I just tried this:

    RULE=192.168.10.1/32

I ping 192.168.10.1 and the stats are growing, so it matches. Then I DNAT 192.168.10.1 to 192.168.10.12 in OUTPUT:

    iptables -t nat -A OUTPUT -d 192.168.10.1 -j DNAT --to 192.168.10.12

It does not match anymore => DNAT is done _before_ shaping.

Now I flush:

    iptables -t nat -F

then set RULE=192.168.10.11/32, I ping 192.168.10.1, and the counters are growing. It matches. Then I set SNAT:

    iptables -t nat -A POSTROUTING -d 192.168.10.1 -j SNAT --to 192.168.10.2
    ip addr add 192.168.10.2 dev eth0

So I use 192.168.10.2 to emit my pings. And my class is no longer reached => SNAT is done _before_ shaping also... If I set:

    RULE=192.168.10.2/32,

the class is reached again. So I was wrong... Sorry.

To answer your message:

On Thu 03/10/2002 at 22:15, Aaron Clausen wrote:
> iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2

eth0 : RULE=64.251.69.2,
eth1 : RULE=10.102.106.2

> iptables -t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2

eth0 : RULE=64.251.69.2,
eth1 : RULE=10.102.106.2

[...]

> iptables -t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -j MASQUERADE

eth0 : RULE=<eth0_IP>,
eth1 : RULE=10.101.104.0/21

Hope this will help you at last, and sorry again for the mistake. Going to bed now, seems to be high time ;)

-- 
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
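The mapping Cedric arrives at above (the egress qdisc sees packets only after the nat table has rewritten them, so the eth0 class must match the public address as source and the eth1 class the private address as destination) is mechanical enough to script. The following is an added example, not code from the thread or from cbq.init: it takes one "iptables -t nat ..." rule and prints the cbq.init RULE= value for the outside and the inside interface, using the comma convention exactly as the thread describes it (a trailing comma means source match, none means destination match). The eth0 address 64.251.69.1 used for the MASQUERADE case is an assumption; the thread only writes <eth0_IP>.

```shell
#!/bin/sh
# Added example (not from the thread or cbq.init). Derives cbq.init RULE= lines
# from an iptables nat rule, following the thread's conclusion that DNAT
# (PREROUTING/OUTPUT) and SNAT/MASQUERADE (POSTROUTING) both run before the
# egress qdisc, so classes must match post-NAT addresses.
#
# Assumptions not in the original posts: the outside address 64.251.69.1 used
# below for MASQUERADE is invented; RULE syntax is "addr," for source match and
# "addr" for destination match, as quoted in the thread.

# cbq_rules EXT_IF EXT_IP INT_IF <words of an "iptables -t nat ..." rule>
# Prints "<ext_if> RULE=<public>," then "<int_if> RULE=<private>".
cbq_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3
    shift 3
    src=''; dst=''; target=''; to=''
    # Walk the rule words; anything we do not care about (-t, -A, -i, -o) is
    # skipped by the unconditional shift at the bottom of the loop.
    while [ $# -gt 0 ]; do
        case $1 in
            -s) src=$2; shift ;;
            -d) dst=$2; shift ;;
            -j) target=$2; shift ;;
            --to|--to-source|--to-destination) to=$2; shift ;;
        esac
        shift
    done
    case $target in
        # DNAT: public address is the original destination, private the
        # translated one; conntrack reverses it for replies leaving EXT_IF.
        DNAT)       public=$dst;    private=$to ;;
        # SNAT: private source is rewritten to the public one in POSTROUTING,
        # which runs before the qdisc on EXT_IF ever sees the packet.
        SNAT)       public=$to;     private=$src ;;
        # MASQUERADE: same as SNAT, but the public address is EXT_IF's own.
        MASQUERADE) public=$ext_ip; private=$src ;;
        *) echo "cbq_rules: unsupported target '$target'" >&2; return 1 ;;
    esac
    # Outbound on EXT_IF: already SNATed, so match the public address as
    # source (trailing comma).
    printf '%s RULE=%s,\n' "$ext_if" "$public"
    # Inbound on INT_IF: already DNATed / de-SNATed in PREROUTING, so match
    # the private address as destination (no comma).
    printf '%s RULE=%s\n' "$int_if" "$private"
}

# Three of the NAT rules posted in the thread, run through cbq_rules.
for rule in \
    '-t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2' \
    '-t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2' \
    '-t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -j MASQUERADE'
do
    echo "iptables $rule"
    # shellcheck disable=SC2086  # word-splitting the rule string is intended
    cbq_rules eth0 64.251.69.1 eth1 $rule
    echo
done
```

To confirm a class is actually being hit after changing a RULE, watch the byte counters with `tc -s class show dev eth0` while generating traffic, the same check Cedric used to find that his class stopped matching once the DNAT or SNAT rule was in place.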